Re: DNS ports and scans

From: Abe Getchell (agetchelat_private)
Date: Sat May 05 2001 - 22:28:54 PDT

    Hi Jason,
    	Stevens says, "When the resolver issues a query and the response
    comes back with the TC bit set ("truncated") it means the size of the
    response exceeded 512 bytes, so only the first 512 bytes were returned by
    the server.  The resolver normally issues the request again, using TCP.
    This allows more than 512 bytes to be returned."
    	Now when you mention 'blocking' it, I assume you're talking about
    blocking TCP 53 from external networks incoming to your internal network(s)
    with some sort of firewall device.  So, if you have any host entries in
    which the data returned to resolver is greater than 512 bytes (fairly common
    for large round robin entries), then it could possibly break resolution or
    at least cripple functionality for some external users depending on how
    their DNR handles the absence of TCP DNS resolution.
    
    Thanks,
    Abe
    
    Abe L. Getchell - Security Engineer
    Division of System Support Services
    Kentucky Department of Education
    Voice   502-564-2020x225
    E-mail  agetchelat_private
    Web     http://www.kde.state.ky.us/
    
    
    
    > -----Original Message-----
    > From: Jason Lewis [mailto:jlewisat_private]
    > Sent: Saturday, May 05, 2001 12:36 PM
    > To: INCIDENTSat_private
    > Subject: DNS ports and scans
    >
    >
    > DNS queries are on UDP port 53.  TCP port 53 is used for zone
    > transfers.  By blocking TCP port 53 I can't do zone transfers, but
    > clients can still do lookups on UDP 53.  Since I have blocked TCP port
    > 53, I have seen a decrease in attack attempts on my name servers,
    > primarily because that port isn't open.  I do still see scans for the
    > DNS ports, but nothing more than a port scan.
    >
    > My question is...Can anyone come up with any pros/cons of doing this?
    >
    > My name servers are successfully serving my domains, so I don't see a
    > downside.  Thoughts?
    >
    > Jason Lewis
    > http://www.rivalpath.com
    > "All you can do is manage the risks. There is no security."
    >
    
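The following is an added illustration, not code from either poster: it builds a DNS A-record response in pure Python, applies the 512-byte UDP rule that Abe quotes from Stevens (header and question only, TC bit set, answer count cleared), and shows the resolver's only recovery path, a retry over TCP 53. The query name, record count and 10.0.0.x addresses are constructed sample data; nothing is sent on the wire. EDNS0 has since raised the UDP payload ceiling, but a response that does come back with TC set still needs TCP to complete, which is the downside Abe points out for a large round-robin name behind a firewall that drops inbound TCP 53.

```python
"""TC-bit fallback walkthrough with constructed DNS messages (offline)."""
import struct
from ipaddress import IPv4Address

UDP_PAYLOAD_LIMIT = 512  # classic DNS-over-UDP ceiling from RFC 1035
FLAG_QR, FLAG_AA, FLAG_TC = 0x8000, 0x0400, 0x0200
FLAG_RD, FLAG_RA = 0x0100, 0x0080


def encode_name(name):
    """Encode a hostname as DNS wire labels: length byte, label, NUL terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qid, qname, addresses, ttl=60):
    """Build the full authoritative A-record response before any UDP size rule applies.

    Constructed example: one question, one A record per address, names compressed
    with a pointer (0xC00C) back to the QNAME at offset 12.
    """
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    flags = FLAG_QR | FLAG_AA | FLAG_RD | FLAG_RA
    header = struct.pack("!HHHHHH", qid, flags, 1, len(addresses), 0, 0)
    answers = b""
    for addr in addresses:
        # NAME(ptr) TYPE=A CLASS=IN TTL RDLENGTH=4, then the 4-byte address
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + IPv4Address(addr).packed
    return header + question + answers


def truncate_for_udp(response):
    """Server side: a response over 512 bytes goes out as header + question only,
    with TC set and ANCOUNT cleared, exactly the behaviour Stevens describes."""
    if len(response) <= UDP_PAYLOAD_LIMIT:
        return response
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    # Labels never contain 0x00, so the first NUL after the header ends the QNAME;
    # the 4 bytes after it are QTYPE and QCLASS.
    name_len = len(response[12:].split(b"\x00", 1)[0]) + 1
    question_end = 12 + name_len + 4
    header = struct.pack("!HHHHHH", qid, flags | FLAG_TC, qdcount, 0, 0, 0)
    return header + response[12:question_end]


def parse_header(msg):
    """Return the fields a resolver inspects before trusting the answer section."""
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "tc": bool(flags & FLAG_TC), "ancount": ancount, "size": len(msg)}


def resolver_next_step(udp_reply):
    """Resolver side: a TC reply carries no usable answers, so the query must be
    repeated over TCP 53; if that port is filtered inbound, resolution fails."""
    return "retry-over-tcp" if parse_header(udp_reply)["tc"] else "use-udp-answer"


def simulate(qname, addresses, qid=0x1234):
    """Run the server and resolver halves and report what happened (for the reader)."""
    full = build_response(qid, qname, addresses)
    on_wire = truncate_for_udp(full)
    return {
        "full_size": len(full),
        "udp_size": len(on_wire),
        "truncated": parse_header(on_wire)["tc"],
        "resolver": resolver_next_step(on_wire),
    }


if __name__ == "__main__":
    # Constructed round-robin set: 40 A records push the answer past 512 bytes.
    big = ["10.0.0.%d" % i for i in range(1, 41)]
    print("40 records:", simulate("www.example.com", big))
    print(" 2 records:", simulate("www.example.com", big[:2]))
```

With 40 records the full response is 673 bytes, so the UDP reply shrinks to the 33-byte header-plus-question with TC set and the resolver must reopen the query over TCP; with two records (65 bytes) UDP alone suffices. The check a defender wants before filtering inbound TCP 53 at an authoritative server is therefore the size of the largest answer set it serves, not just whether zone transfers are needed.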



    This archive was generated by hypermail 2b30 : Mon May 07 2001 - 08:00:33 PDT